Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff

Created on ‎08-25-2009 05:30 AM Edited on ‎11-27-2024 05:05 AM By Moderator

Article Id 197751

Troubleshooting Tip: Verifying physical and HA Virtual MAC addresses of FortiGate interfaces

Description

 

This article describes how to verify the MAC addresses assigned to FortiGate interfaces.

Scope

 

FortiGate.

 

Solution

 

Note 1: In the following examples, two MAC addresses are used:

 

  • Current_HWaddr: this is the current hardware address of the interface and the one seen in the network. This address can be changed from the CLI when the FortiGate is running in standalone mode.
  • Permanent_HWaddr: The MAC address programmed by the NIC manufacturer for the Vendor; also called burnt-in MAC address. This address cannot be changed.


By default, the Current_HWaddr is the same as the Permanent_HWaddr.
When configuring HA mode active-active or active-passive, all interface MAC addresses are modified with the corresponding virtual MAC address (based on VDOM ID, port, and HA group).

 

Note 2: How to change a MAC address of a physical interface ( standalone mode only):

 

config system interface
    edit "port1"
        set macaddr 00:01:02:03:04:05
    next
end

 

  1. The following commands display the current and permanent hardware addresses for a standalone FortiGate.
    1. Used without any option, the command below will list all interfaces available:

      FGT400-8 # diagnose hardware deviceinfo nic

      Usage:

      diagnose hardware deviceinfo nic <nic name>
      The following NICs are available:
      port4-ha
      port3
      port2
      port1

    2. Used with the interface name, the command will give the MAC address information:


FGT400-8 # diagnose hardware deviceinfo nic port1

[...]
System_Device_Name port1
Current_HWaddr 00:09:0F:85:AD:8B
Permanent_HWaddr 00:09:0F:85:AD:8B
[...]

 

  1. During HA operation, the current hardware address becomes the HA Virtual MAC address as shown below for a FortiGate in a cluster.

FGT400-8 # diagnose hardware deviceinfo nic port1

[...]
System_Device_Name port1
Current_HWaddr 00:09:0F:09:00:00
Permanent_HWaddr 00:09:0F:85:AD:8B
[...]

 
Or:
 
diag sys ha mac
HA mac msg
serial#=FGXXXXXXXXXXX Primary
prio=0, phy_index= 0, itf_name=  mgmt, mac=e8.1c.ba.cc.8a.ad, vmac=00.09.0f.09.c3.00, linkfail=0
prio=0, phy_index= 1, itf_name=    ha, mac=e8.1c.ba.cc.8a.ac, vmac=00.09.0f.09.c3.01, linkfail=1
prio=0, phy_index= 2, itf_name=  wan1, mac=e8.1c.ba.cc.8a.b8, vmac=00.09.0f.09.c3.02, linkfail=0
prio=0, phy_index= 3, itf_name=  wan2, mac=e8.1c.ba.cc.8a.b9, vmac=00.09.0f.09.c3.03, linkfail=1
prio=0, phy_index= 4, itf_name= port1, mac=e8.1c.ba.cc.8a.ba, vmac=00.09.0f.09.c3.04, linkfail=0
prio=0, phy_index= 5, itf_name= port2, mac=e8.1c.ba.cc.8a.bb, vmac=00.09.0f.09.c3.05, linkfail=1
prio=0, phy_index= 6, itf_name= port3, mac=e8.1c.ba.cc.8a.bc, vmac=00.09.0f.09.c3.06, linkfail=1
prio=0, phy_index= 7, itf_name= port4, mac=e8.1c.ba.cc.8a.bd, vmac=00.09.0f.09.c3.07, linkfail=1
prio=0, phy_index= 8, itf_name= port5, mac=e8.1c.ba.cc.8a.be, vmac=00.09.0f.09.c3.08, linkfail=1
 

For more information about how the HA Virtual MAC is built, please consult the related article at the end of this page.

 

Related article:

Technical Tip: HA Cluster virtual MAC addresses

63050
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.